Greg Troxel <g...@lexort.com> wrote:
> RVP <r...@sdf.org> writes:
> 
> > Can you start over? And this time, run script(1) on both the client and
> > server and do the config. within that so that we can get a verbatim
> > transcript. Just edit the `typescript' files to redact any info. you
> > consider sensitive, and to get rid of the `\r' chars.
> 
> Better yet, write a shell script that first clears everything, and then
> does all the config.

Good idea. Okay here's the script, ran on the NetBSD server:

        #!/bin/sh

        # clearing everything
        wgconfig wg0 delete peer sevastopol
        ifconfig wg0 destroy
        rm -rf /etc/wg

        # setup
        mkdir -p /etc/wg
        (umask 0077; wg-keygen > /etc/wg/wg0)
        wg-keygen --pub < /etc/wg/wg0 > /etc/wg/wg0.pub
        cat /etc/wg/wg0.pub

        ifconfig wg0 create
        ifconfig wg0 inet 10.2.0.1/24
        ifconfig wg0 inet6 fd00:2::1/64

        wgconfig wg0 set private-key /etc/wg/wg0
        wgconfig wg0 set listen-port 9443
        wgconfig wg0 add peer sevastopol \
                NJrA59aVt7zVv0KFWoICioASAj7lhLhkmRV3gdDwH14= \
                --allowed-ips=10.2.0.42/32,fd00:2::42/128

        ifconfig wg0 up
        ifconfig wg0

        sysctl -w net.inet.ip.forwarding=1
        sysctl -w net.inet6.ip6.forwarding=1

        wgconfig wg0

And the output:

6V4GegyDijmPI+iWBmEyZEDsd1fIVt7XL2+zC7PuqU8=
wg0: flags=0x8041<UP,RUNNING,MULTICAST> mtu 1420
        status: active
        inet6 fe80::1457:1bc8:34cf:69c0%wg0/64 flags 0x2<TENTATIVE> scopeid 0x3
        inet6 fd00:2::1/64 flags 0x2<TENTATIVE>
        inet 10.2.0.1/24 flags 0
net.inet.ip.forwarding: 1 -> 1
net.inet6.ip6.forwarding: 1 -> 1
interface: wg0
        private-key: (hidden)
        listen-port: 9443
        peer: sevastopol
                public-key: NJrA59aVt7zVv0KFWoICioASAj7lhLhkmRV3gdDwH14=
                endpoint: (none)
                preshared-key: (hidden)
                allowed-ips: 10.2.0.42/32,fd00:2::42/128
                latest-handshake: (never)

The macOS WireGuard client config:

        [Interface]
        PrivateKey = ****
        Address = 10.2.0.42/24

        [Peer]
        PublicKey = 6V4GegyDijmPI+iWBmEyZEDsd1fIVt7XL2+zC7PuqU8=
        AllowedIPs = 1.0.0.0/8, 2.0.0.0/8, 3.0.0.0/8, 4.0.0.0/6, 8.0.0.0/7,
        11.0.0.0/8, 12.0.0.0/6, 16.0.0.0/4, 32.0.0.0/3, 64.0.0.0/2,
        128.0.0.0/3, 160.0.0.0/5, 168.0.0.0/6, 172.0.0.0/12, 172.32.0.0/11,
        172.64.0.0/10, 172.128.0.0/9, 173.0.0.0/8, 174.0.0.0/7, 176.0.0.0/4,
        192.0.0.0/9, 192.128.0.0/11, 192.160.0.0/13, 192.169.0.0/16,
        192.170.0.0/15, 192.172.0.0/14, 192.176.0.0/12, 192.192.0.0/10,
        193.0.0.0/8, 194.0.0.0/7, 196.0.0.0/6, 200.0.0.0/5, 208.0.0.0/4
        Endpoint = starbewastie.rnkn.xyz:9443

Connects, successful handshake, but client receives no more than a
bytes on the client. tcpdump on the physical device vioif0 while
pinging 10.2.0.1 on the client:

# tcpdump -tn -i vioif0 port 9443
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on vioif0, link-type EN10MB (Ethernet), capture size 262144 bytes
IP 1.146.105.131.3100 > 64.176.222.118.9443: UDP, length 148
IP 64.176.222.118.9443 > 1.146.105.131.3100: UDP, length 92
IP 1.146.105.131.3100 > 64.176.222.118.9443: UDP, length 1424
IP 1.146.105.131.3100 > 64.176.222.118.9443: UDP, length 96
IP 1.146.105.131.3100 > 64.176.222.118.9443: UDP, length 96
IP 1.146.105.131.3100 > 64.176.222.118.9443: UDP, length 1424
IP 1.146.105.131.3100 > 64.176.222.118.9443: UDP, length 96
IP 64.176.222.118.9443 > 1.146.105.131.3100: UDP, length 32
IP 1.146.105.131.3100 > 64.176.222.118.9443: UDP, length 96
IP 1.146.105.131.3100 > 64.176.222.118.9443: UDP, length 1424
IP 1.146.105.131.3100 > 64.176.222.118.9443: UDP, length 1424
IP 1.146.105.131.3100 > 64.176.222.118.9443: UDP, length 96
IP 1.146.105.131.3100 > 64.176.222.118.9443: UDP, length 96
IP 1.146.105.131.3100 > 64.176.222.118.9443: UDP, length 1424
IP 1.146.105.131.3100 > 64.176.222.118.9443: UDP, length 96
[...]
IP 1.146.105.131.3100 > 64.176.222.118.9443: UDP, length 1424
IP 1.146.105.131.3100 > 64.176.222.118.9443: UDP, length 96
IP 1.146.105.131.3100 > 64.176.222.118.9443: UDP, length 96
IP 64.176.222.118.9443 > 1.146.105.131.3100: UDP, length 32
IP 1.146.105.131.3100 > 64.176.222.118.9443: UDP, length 96
IP 1.146.105.131.3100 > 64.176.222.118.9443: UDP, length 96
IP 1.146.105.131.3100 > 64.176.222.118.9443: UDP, length 96
IP 1.146.105.131.3100 > 64.176.222.118.9443: UDP, length 96
IP 1.146.105.131.3100 > 64.176.222.118.9443: UDP, length 96
IP 1.146.105.131.3100 > 64.176.222.118.9443: UDP, length 96

tcpdump on the wg0 device while pinging 10.2.0.1 on the client:

# tcpdump -tn -i wg0 port 9443
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on wg0, link-type NULL (BSD loopback), capture size 262144 bytes
^C
0 packets captured
0 packets received by filter
0 packets dropped by kernel

Thanks in advance :)

-- 
Paul W. Rankin
https://rnkn.xyz
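An added check, not part of the mail above and not part of NetBSD's wg(4)/wgconfig(8) tooling: WireGuard's cryptokey routing hands an outbound packet to a peer only when the destination falls inside that peer's AllowedIPs, and a decrypted inbound packet is dropped when its source address is outside the sending peer's AllowedIPs; client tools also install routes from the same list. The script below takes the client [Peer] AllowedIPs and the server's allowed-ips for sevastopol verbatim from the mail, computes what each list leaves out of the address space, and does a longest-prefix lookup for a few destinations. The destinations checked and the function and key names are mine; only the standard-library ipaddress module is used.

```python
"""Cryptokey-routing coverage check for the AllowedIPs lists in the mail.

Added example (not the poster's script, not NetBSD's wg tooling).
"""
import ipaddress

# Client [Peer] AllowedIPs, copied verbatim from the macOS config in the mail.
CLIENT_ALLOWED_IPS = """
1.0.0.0/8, 2.0.0.0/8, 3.0.0.0/8, 4.0.0.0/6, 8.0.0.0/7,
11.0.0.0/8, 12.0.0.0/6, 16.0.0.0/4, 32.0.0.0/3, 64.0.0.0/2,
128.0.0.0/3, 160.0.0.0/5, 168.0.0.0/6, 172.0.0.0/12, 172.32.0.0/11,
172.64.0.0/10, 172.128.0.0/9, 173.0.0.0/8, 174.0.0.0/7, 176.0.0.0/4,
192.0.0.0/9, 192.128.0.0/11, 192.160.0.0/13, 192.169.0.0/16,
192.170.0.0/15, 192.172.0.0/14, 192.176.0.0/12, 192.192.0.0/10,
193.0.0.0/8, 194.0.0.0/7, 196.0.0.0/6, 200.0.0.0/5, 208.0.0.0/4
"""

# Server-side allowed-ips for peer "sevastopol", from the wgconfig wg0 output.
SERVER_ALLOWED_IPS = "10.2.0.42/32,fd00:2::42/128"


def parse_allowed_ips(text):
    """Parse a comma/whitespace separated AllowedIPs list into networks.

    strict=False mirrors wg(8)/wgconfig behaviour: host bits are masked
    off instead of being rejected.
    """
    nets = []
    for tok in text.replace("\n", " ").split(","):
        tok = tok.strip()
        if tok:
            nets.append(ipaddress.ip_network(tok, strict=False))
    return nets


def lookup(nets, dest):
    """Longest-prefix match: the AllowedIPs entry that routes `dest` to
    this peer, or None when the peer would never be handed that packet."""
    addr = ipaddress.ip_address(dest)
    hits = [n for n in nets if n.version == addr.version and addr in n]
    return max(hits, key=lambda n: n.prefixlen) if hits else None


def uncovered(nets, universe="0.0.0.0/0"):
    """Collapsed list of prefixes inside `universe` that the AllowedIPs
    do not cover, i.e. destinations that stay on the local routing table."""
    universe = ipaddress.ip_network(universe)
    remaining = [universe]
    for n in [x for x in nets if x.version == universe.version]:
        kept = []
        for r in remaining:
            if r.subnet_of(n):
                continue              # r fully covered (or equal): drop it
            if n.subnet_of(r):
                kept.extend(r.address_exclude(n))  # carve n out of r
            else:
                kept.append(r)        # disjoint prefixes: untouched
        remaining = kept
    return sorted(ipaddress.collapse_addresses(remaining))


def report():
    """The checks a troubleshooter would want, as a dict (see __main__)."""
    client = parse_allowed_ips(CLIENT_ALLOWED_IPS)
    server = parse_allowed_ips(SERVER_ALLOWED_IPS)
    # Destinations chosen here for illustration: the server's tunnel
    # address, a public resolver, and the client's own tunnel addresses.
    return {
        "client_uncovered_v4": [str(n) for n in uncovered(client)],
        "client_uncovered_v6": [str(n) for n in uncovered(client, "::/0")],
        "client_to_10.2.0.1": lookup(client, "10.2.0.1"),
        "client_to_8.8.8.8": lookup(client, "8.8.8.8"),
        "server_from_10.2.0.42": lookup(server, "10.2.0.42"),
        "server_from_fd00:2::42": lookup(server, "fd00:2::42"),
    }


if __name__ == "__main__":
    for key, val in report().items():
        print(f"{key}: {val}")
```

Run it with python3. The uncovered list is exactly the set of IPv4 prefixes the client never sends through the tunnel; because the list omits 10.0.0.0/8, a lookup for the server's tunnel address 10.2.0.1 returns None, whereas the server side does cover 10.2.0.42/32 and fd00:2::42/128 for the return direction. The script models only the AllowedIPs table; it says nothing about handshakes, MTU, or the server's forwarding and NAT. One capture caveat when reading the tcpdumps above: on wg0 tcpdump sees the decrypted inner packets, so a `port 9443` filter there matches inner traffic to that port, not the outer UDP transport.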
